https://kb.vmware.com/s/article/1006734


 Symptoms
  • While deploying a pool, virtual machines are stuck with a status of Customizing on the Virtual Machines tab.
  • Connection to the virtual desktop fails.
  • You receive this pop-up message:

    The connection to the remote computer ended
     
  • In the debug-timestamp.txt log file of the View Agent, you see the error:

    DEBUG <theTopicMessageManager> [JmsManager] Unable to connect to JMS server com.vmware.vdi.agent.messageserver.JmsManager.a(SourceFile:238)
    javax.jms.JMSException: Unable to create a connection to: [[ServerEntry, hostname=<VDM CONNECTION SERVER>, port=4001]]

     
  • In the debug-timestamp.txt log file of the View Connection Server, you see the warning:

    WARN <Tunnel#1> [r] (57A52D9B20F08C9B788FFE22380F92DD) Problem starting channel 0 for Port1: Failed to allocate onbound connection to <VDM AGENT IP ADDRESS>:3389 - java.net.SocketTimeoutException: Onbound connection timed out com.vmware.vdi.ice.server.r.c(SourceFile:624)
    com.vmware.vdi.ob.tunnelservice.u: Failed to allocate onbound connection to <VDM AGENT IP ADDRESS>:3389 - java.net.SocketTimeoutException: Onbound connection timed out


    Note: For more information on the location of the View log files, see Location of VMware View log files (1027744).
 Resolution
There are different paths or legs of connection between the client and the desktop virtual machine, and connectivity issues may be caused by failure of any of the connection legs.
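
The two log signatures under Symptoms each point at a different leg; the added PowerShell example below (not part of the original article) maps log lines to the leg that failed. The sample lines are constructed from those signatures, and `cs01.example.test`, `192.0.2.10` and `$LogFile` are placeholders.

```powershell
# Added example. Sample lines are constructed from the signatures quoted under
# Symptoms; the host name and IP address are placeholders.
$sample = @(
    'DEBUG <theTopicMessageManager> [JmsManager] Unable to connect to JMS server com.vmware.vdi.agent.messageserver.JmsManager.a(SourceFile:238)',
    'javax.jms.JMSException: Unable to create a connection to: [[ServerEntry, hostname=cs01.example.test, port=4001]]',
    'WARN <Tunnel#1> [r] Problem starting channel 0 for Port1: Failed to allocate onbound connection to 192.0.2.10:3389 - java.net.SocketTimeoutException: Onbound connection timed out',
    'INFO constructed line that matches nothing'
)

# One regex per leg; the named groups capture the endpoint that could not be reached.
$signatures = @(
    @{ Leg     = 'View Agent -> Connection Server (JMS)'
       Pattern = 'Unable to create a connection to: \[\[ServerEntry, hostname=(?<host>[^,]+), port=(?<port>\d+)\]\]' },
    @{ Leg     = 'Connection/Security Server -> desktop (RDP)'
       Pattern = 'Failed to allocate onbound connection to (?<host>[^:\s]+):(?<port>\d+)' }
)

function Get-FailedLeg {
    param([string[]]$Line)
    foreach ($text in $Line) {
        foreach ($sig in $signatures) {
            if ($text -match $sig.Pattern) {
                New-Object psobject -Property @{
                    Leg    = $sig.Leg
                    Target = $Matches['host']
                    Port   = [int]$Matches['port']
                }
                break   # one leg per line is enough
            }
        }
    }
}

# Summarise which endpoint failed on which leg, and how often.
Get-FailedLeg -Line $sample | Group-Object Leg, Target, Port | Select-Object Count, Name

# Against a real log (path is a placeholder; see KB 1027744 for log locations):
# Get-FailedLeg -Line (Get-Content $LogFile)
```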

For more information on Horizon 7 ports, see Network Ports in VMware Horizon 7.

View Client-Connection Server Issues
  • Failure in one branch
  • Incorrect Internet setting on the client computer
  • Inability to resolve DNS name of the connection server
Connection Server-View Agent Issues
  • Resolving the DNS name.
  • Agent establishes JMS communication with connection server
  • Connection server and security server establish an RDP connection
  • Security server establishes a JMS communication with its connection server
Testing Methods
  1. Log in to a virtual desktop.
  2. Click Start > Run, type cmd, and click OK. The Command Prompt window opens. For more information, see Opening a command or shell prompt (1003892).
  3. Ensure that the desktop can resolve the DNS name of the connection server(s) and that the IP address resolved is the correct IP address for the connection server.

    Run the nslookup cs_hostname command.
     
  4. Ensure that the agent can communicate with the connection server over ports 4001 and 4002. These ports are the first example.

    The latest Horizon version uses 4002 by default; older versions use 4001 by default. Ports 4001/4100 are used for secure handshaking to set up 4002/4101: signed messages passed over the first two ports carry credential data for the other two.
  • Run the telnet cs_hostname 4001 command.
  • Run the telnet cs_hostname 4002 command.
 Horizon Connection Server   TCP 4100   JMS to replica Horizon Connection Server for redundancy and scale
 Horizon Connection Server   TCP 4101   JMS SSL to replica Horizon Connection Server for redundancy and scale
If you receive a connection error, check if a firewall or anti-virus is enabled on the virtual desktop, connection server, or in the network infrastructure between the two points.
  5. Repeat these steps according to the port requirements listed below. You may need to adjust where the test is run in step 1. Choose the appropriate location according to the descriptions below.
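
The name-resolution and port checks above as one PowerShell script, for desktops where the Telnet client is not installed (it is an optional Windows feature); this is an added example, not VMware's code. `cs_hostname` is the article's placeholder and the 3-second timeout is an assumption.

```powershell
# Added example. Run it from the machine that originates the leg being tested.
$ConnectionServer = 'cs_hostname'   # the article's placeholder; replace it
$Ports     = 4001, 4002             # JMS ports; use 3389, 8009, 4100 or 4101 for other legs
$TimeoutMs = 3000                   # assumed timeout, not a VMware value

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # No answer at all: commonly a firewall dropping the packets.
            return 'timeout'
        }
        $client.EndConnect($pending)   # throws if the connection was refused or reset
        return 'open'
    } catch {
        # The host answered but nothing accepted the connection (or it is unreachable).
        return "failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# Name resolution: compare the output with the connection server's real address.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($ConnectionServer)
    $list = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ', '
    "DNS  $ConnectionServer -> $list"
} catch {
    "DNS  $ConnectionServer -> FAILED ($($_.Exception.Message))"
    return   # no point testing ports against a name that does not resolve
}

# Port reachability: one TCP connect attempt per port.
foreach ($port in $Ports) {
    $state = Test-TcpPort -HostName $ConnectionServer -Port $port -TimeoutMs $TimeoutMs
    "TCP  {0}:{1} -> {2}" -f $ConnectionServer, $port, $state
}
```

An `open` result only shows that something accepted the TCP connection; it does not confirm that the JMS router behind the port is healthy.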

Client-Server Issues
  • Failure in one branch: You must isolate which step is failing. The location of the problem is usually clear from the error messages on the client side. For example, the client displays VDM Server connection failed or A secure connection to the VDM Server cannot be established if the client-connection server connectivity leg fails. Another possibility is that, after the connection server is contacted and the list of desktops is displayed, opening a desktop fails. In that case, the server-desktop-virtual machine connectivity must be investigated.
     
  • Incorrect Internet setting on the client computer: If you cannot connect to the server with a Microsoft Windows Client, try to access this server with Microsoft Internet Explorer, using HTTP or HTTPS. If you do not see the login page, apply general troubleshooting techniques to resolve the issue.
     
  • Inability to resolve DNS name of the connection server: This is the likely cause when the login page is shown and, after you enter valid credentials, you receive an error message about the secure connection being unable to start. The most common reason for the error is that the client or proxy server is unable to resolve the DNS name of the connection server. When the client successfully authenticates to the connection server, the server directs the client to open a secure connection. If it cannot be resolved by the IP address of the broker computer, the secure connection setup fails. If the browser is configured with an HTTP proxy for Web access, the proxy server has to resolve the fully qualified domain name (FQDN). Configure the VDM server to report its externally visible DNS name or IP address in the external URL setting.

    When there are external and internal users who access VDM, and there is no common IP address or domain name, set up two or more identical connection servers and use one group for internal users and the second one for external users.

    To override the external URL, do the following:
    1. Create the file C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf\locked.properties.
    2. Add the line:
      clientHost=desired-FQDN-or-IP-address

      If a load balanced setup is used, the initial connection is made to the LB address and a secure connection is made directly to the server.

Server-Desktop Issues

For successful communication between the server and the desktop virtual machine:
  • Resolving the DNS name: The communication server's DNS name must be resolvable.
     
  • Agent establishes JMS communication with connection server: The Agent must establish JMS communication with the connection server using FQDN and TCP port 4001. This port can be checked by issuing the command telnet <connection server DNS name> 4001 from the command prompt at the desktop virtual machine. If the connection is established, network connectivity is working. The connection to port 4001 may have failed because of firewalls on the desktop, connection server, the network infrastructure, DNS address resolution issues, or JMS router not working on the server.
    In Horizon 7, port 4002 should be used instead of 4001, because Horizon uses Enhanced security mode by default until changed. For more information, see the prerequisites section of Change the JMS Message Security Mode to Enhanced.
  • Connection server and security server establish an RDP connection: The connection server and security server must establish an RDP connection to the desktop virtual machine using its last reported IP address and port 3389. If the security server is deployed in the DMZ, exception rules must be created in the inner firewall to allow RDP connectivity between the security server and all desktop virtual machines. If you bypass the secure connection, the client must establish a direct RDP connection to the desktop virtual machine (port 3389).
     
  • Security server establishes a JMS communication with its connection server: The security server must establish JMS communication with the connection server with which it is associated. The FQDN of the connection server must be added to the local hosts file to support this connection. The security server has to establish a connection over the AJP13 protocol with the connection server using port 8009.